Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • NYDFS, insurance broker reach $3 million cyber breach settlement

    State Issues

    On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement a multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.

    State Issues 23 NYCRR Part 500 NYDFS Settlement Enforcement Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • NYDFS updates cybersecurity fraud alert

    State Issues

    On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities of the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to circumvent displaying prefilled NPI, even in redacted form, and to guarantee that all portals are being guarded by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should execute to guarantee basic security.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Covid-19

    Share page with AddThis
  • NYDFS, mortgage lender reach $1.5 million cyber breach settlement

    State Issues

    On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.

    State Issues State Regulators NYDFS Enforcement Privacy/Cyber Risk & Data Security Settlement Mortgages Data Breach 23 NYCRR Part 500

    Share page with AddThis
  • NYDFS announces cybersecurity fraud alert

    State Issues

    On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDYS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500

    Share page with AddThis
  • NYDFS enforces its cybersecurity regulation for the first time

    State Issues

    On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) Charges filed against the company allege that a “known vulnerability” in the company’s online-based data storage platform was not fixed, which allowed unauthorized users to access restricted documents from roughly 2014 through 2019 by changing the ImageDocumentID number in the URL. Although an internal penetration test (i.e., an authorized simulated cyberattack) discovered the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problems.

    The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically reviewing these access privileges; (iv) implement a risk assessment system to sufficiently identify the availability and effectiveness of controls for protecting sensitive data and the company’s information system; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s internal cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow recommendations made by its internal cybersecurity team.

    A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.

    State Issues Privacy/Cyber Risk & Data Security Title Insurance Mortgages 23 NYCRR Part 500 NYDFS Enforcement

    Share page with AddThis
  • NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions

    Privacy, Cyber Risk & Data Security

    On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues Compliance

    Share page with AddThis
  • Final deadline approaching for NYDFS cybersecurity regulation

    Privacy, Cyber Risk & Data Security

    On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.

    Previously InfoBytes coverage on NYDFS’ cybersecurity regulation are available here.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues Third-Party

    Share page with AddThis
  • NYDFS updates cybersecurity FAQs to address use of utilization review agents

    Privacy, Cyber Risk & Data Security

    On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in Infobytes, as were the last updates in February, March, and August.

    The new update states that when a covered entity uses an independent “Utilization Review” agent (UR agent) who receives nonpublic information, the covered entity should treat the UR agent as a third-party service provider in order to properly assess and address any potential risks to their data and systems. NYDFS emphasizes that covered entities bear the responsibility for these protections.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues

    Share page with AddThis
  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

    Share page with AddThis
  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    On March 23, the New York Department of Financial Services (NYDFS) provided a second update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in InfoBytes, as was the last update in February. The new update to the FAQs adds the following guidance:

    • An individual filing a Certificate of Compliance for his or her own individual license with no Board of Directors is acting as a Senior Officer as defined by 23 NYCRR 500 and should complete the filing process in that manner; and
    • Entity ID is defined as an entity’s state-issued unique license or charter number. Specific information is provided for insurance companies and mortgage loan originators in the FAQs.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance 23 NYCRR Part 500

    Share page with AddThis

Pages